On Sun, Jun 07, 2015 at 11:55:23PM +0200, Wouter Verhelst wrote:
> On Sun, Jun 07, 2015 at 11:30:01AM -0700, Josh Triplett wrote:
> > On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote:
> > > On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
> > > > If that's not an option for some reason, then given that the packages
> > > > are Free Software and of reasonably broad interest, you could at least
> > > > upload a package to Debian containing the archive key, similar to
> > > > pkg-mozilla-archive-keyring; that would establish a trust path. (Which
> > > > doesn't solve the usability problem, but it does solve the trust
> > > > problem.)
> > >
> > > True, but I don't think it is the best way forward.
> > >
> > > First, it would work for me, as long as I'm still contracting for the
> > > government[1]. However, due to it being a *government* contract, this is
> > > an inherently time-limited situation[2]. I want this situation to remain
> > > manageable after the end of my contract.
> > >
> > > Second, while I wrote this in response to an immediate issue that I'm
> > > dealing with, it should be obvious that this isn't a problem specific to
> > > my situation; I would prefer to have a situation which works for
> > > everyone, not just for me. Having to maintain a package inside Debian
> > > isn't the best solution for third-party developers.
> >
> > If you don't mind the solution being specific to Debian developers,
> > though not to you in particular, then the future plans for Debian PPAs
> > or similar should help here. In particular, those should inherently
> > have a trust chain from the archive.
>
> Sure. They don't exist yet, however.
True, but then, neither does any other possible solution to your problem.
Among the solutions that don't exist yet, PPAs seem preferable.

> > And anything *not* specific to Debian developers shouldn't be automatic;
> > if there's a means of signing something such that it is "trusted", that
> > mechanism *must* be limited to DDs.
>
> Actually, we *already* have cases where stuff can be installed on a
> Debian system without apt saying anything about it (and without
> requiring manual steps) that involves someone preparing an upload who is
> not a DD. It's called a DM.

True, but DMs can only upload specific packages, not entire repositories
full of packages.

> Do we trust DMs to the same level that we trust DDs? No. Is that fine?
> Sure. In the same vein, should we trust third-party repositories to the
> same level that we trust DDs, or even DMs? Probably not. But then that's
> not what I'm suggesting.
>
> Having said that, I do agree with you that we should not allow just
> about anyone to create a repository which will be automatically trusted
> by the whole Debian system. Establishing such a trust chain should,
> indeed, require some vetting by at least one Debian Developer, so that
> malicious packages can be rejected, if needs be.

If there is an external entity we trust enough to upload arbitrary
packages to a repository from which packages will be installed on a
Debian system without prompting, that entity should be a DD, since that's
at least as much trust as we give to DDs. I don't think it's acceptable
to give an *ongoing* blank check to anyone to upload arbitrary packages
to such a repository without that someone being a DD.

- Josh Triplett

Archive: https://lists.debian.org/20150607231809.GA801@x